In a two-tier hierarchy CA design, what is a common security best practice?
Only FIPS-compliant hardware security modules are used.
The root CA server is offline.
The intermediate or policy CA server is offline.
The issuing CA servers are placed in different geographical locations.